[lxc-users] Internal networking of containers

Shidan shidan at gmail.com
Fri Oct 10 16:57:03 UTC 2014


Which chains are used for container to container?

On Fri, Sep 19, 2014 at 5:29 PM, Shidan <shidan at gmail.com> wrote:

> First, I spoke too soon (by saying the problem is fixed with DNAT for the
> OUTPUT chain); now I can ping the containers from the host and vice
> versa, but not container to container using the containers' external IPs.
>
> Regarding your method, if you have IP aliases for the external addresses
> for the containers, the MAC address will not be the container's address but
> the host's, and will get filtered by a significant number of upstream
> switches depending on their configuration ... so in this case you will need
> to use something like ebtables and put your switch in promiscuous mode,
> which I can't do. I can't use macvlan either, as I am running unprivileged
> containers and it seems to me it's not a very tested feature either.
>
> So now I have:
>
>     iptables -t nat -D POSTROUTING -s <internal_ip> ! -d 10.0.3.0/24 -o eth0 -j SNAT --to-source <external_ip>
>     iptables -t nat -D PREROUTING -d <external_ip> -i eth0 -j DNAT --to-destination <internal_ip>
>     iptables -t nat -D OUTPUT -d <external_ip> -j DNAT --to-destination <internal_ip>
>
> What am I missing for container to container addressing using the external
> IPs?
>
> -- Shidan Gouran
>
>
> On Fri, Sep 19, 2014 at 12:51 AM, Dave Pedu <lxc at davepedu.com> wrote:
> >
> > Instead of using iptables, you can give a container a network interface
> > (for a total of two).
> >
> > On my system I have an ethernet bridge, br0, with the host's main
> > interface on it. Then, in a container's config -
> >
> > # primary, public interface 192.168.1.x from my router
> > lxc.network.type = veth
> > lxc.network.hwaddr = 00:16:3e:e1:92:a3
> > lxc.network.link = br0
> > lxc.network.flags = up
> > lxc.network.name = eth0
> > lxc.network.veth.pair = vethplex0
> >
> > # second, private interface 10.0.3.x
> > lxc.network.type = veth
> > lxc.network.hwaddr = 00:16:3e:e1:92:a4
> > lxc.network.link = lxcbr0
> > lxc.network.flags = up
> > lxc.network.name = eth1
> > lxc.network.veth.pair = vethplex1
> >
> >
> > On 2014-09-18 21:19, Shidan wrote:
> >>
> >> Just figured out a fix, I think. For containers to address each
> >> other by both external and internal IPs, I set the DNAT rule on the
> >> OUTPUT and PREROUTING chains, instead of just on PREROUTING as
> >> above.
> >>
> >> On Thu, Sep 18, 2014 at 11:03 PM, Shidan <shidan at gmail.com> wrote:
> >>
> >>> I think the case of having a 1 to 1 assignment of external IPs to
> >>> containers is an important use case to document somewhere.
> >>>
> >>> On Thu, Sep 18, 2014 at 12:09 PM, Shidan <shidan at gmail.com> wrote:
> >>>
> >>>> Hello, I have multiple external IP addresses and set up iptables so
> >>>> that each container is assigned one external IP on the lxcbr0
> >>>> NATed bridge in a 1 to 1 fashion, similar to this example:
> >>>>
> >>>> root at SERVER:/var/log# iptables -t nat -L
> >>>> Chain PREROUTING (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>> DNAT       all  --  anywhere             188.227.224.138      to:10.0.3.2
> >>>> DNAT       all  --  anywhere             188.227.224.139      to:10.0.3.3
> >>>>
> >>>> Chain INPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain POSTROUTING (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>> SNAT       all  --  10.0.3.2             !10.0.3.0/24          to:188.227.224.138
> >>>> SNAT       all  --  10.0.3.3             !10.0.3.0/24          to:188.227.224.139
> >>>>
> >>>> Now when I try to access a container from another container, I am
> >>>> just hitting the host, so for ssh for example, even if I try the
> >>>> IPs 188.227.224.139 or 10.0.3.3 from the 10.0.3.2 container I
> >>>> will actually connect to the physical host's SSH daemon. Everything
> >>>> works fine when connecting from/to external machines.
> >>>>
> >>>> What am I doing wrong?
> >>
> >>
> >>
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
>
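The chain question at the top of this message, worked through as an added example (not code from the thread or from LXC): a small Python model of netfilter nat-chain traversal applied to the three rules per container that Shidan quotes. The container and external addresses are the ones in the thread; the host's lxcbr0 address 10.0.3.1, the outside address 203.0.113.5, and the extra "hairpin" rule set it compares against are this example's assumptions. The model shows why a packet from one container to another container's external address "hits the host": it arrives on lxcbr0, so a PREROUTING DNAT restricted to `-i eth0` never matches, the destination is then one of the host's own addresses, and the packet is delivered locally (INPUT) rather than forwarded.

```python
"""Model of netfilter nat chain traversal for the 1:1 NAT rules quoted above.

Added example, not code from the thread. Only what is needed to answer "which
chains does container-to-container traffic hit" is modelled: nat PREROUTING for
packets arriving on an interface, nat OUTPUT for packets the host generates, the
routing decision (is the destination one of the host's own addresses?), and nat
POSTROUTING for packets that leave again. The host's lxcbr0 address 10.0.3.1 is
an assumption.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

CONTAINERS = {"10.0.3.2": "188.227.224.138", "10.0.3.3": "188.227.224.139"}
BRIDGE_ADDR = "10.0.3.1"                                # assumed host address on lxcbr0
HOST_ADDRS = set(CONTAINERS.values()) | {BRIDGE_ADDR}   # external IPs are aliases on the host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str] = None   # None: generated by the host itself
    out_if: Optional[str] = None  # set by the routing decision


@dataclass(frozen=True)
class Rule:
    """One nat rule: chain, target and the match options used in the thread."""
    chain: str                     # PREROUTING, OUTPUT or POSTROUTING
    target: str                    # DNAT or SNAT
    to: str                        # --to-destination / --to-source
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    not_dst: Optional[str] = None  # ! -d
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.not_dst and ip_address(pkt.dst) in ip_network(self.not_dst, strict=False):
            return False
        if self.in_if and pkt.in_if != self.in_if:
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        return True


def apply_chain(rules, chain: str, pkt: Packet) -> Packet:
    """Walk one nat chain; the first matching rule rewrites the packet and ends the walk."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return replace(pkt, dst=rule.to) if rule.target == "DNAT" else replace(pkt, src=rule.to)
    return pkt


def traverse(rules, pkt: Packet):
    """Return (final hook, packet). INPUT means the host itself receives the packet."""
    pkt = apply_chain(rules, "PREROUTING" if pkt.in_if else "OUTPUT", pkt)
    if pkt.dst in HOST_ADDRS:                 # routing decision: local delivery
        return "INPUT", pkt
    out_if = "lxcbr0" if ip_address(pkt.dst) in ip_network("10.0.3.0/24") else "eth0"
    pkt = apply_chain(rules, "POSTROUTING", replace(pkt, out_if=out_if))
    return ("FORWARD" if pkt.in_if else "OUTPUT"), pkt


def thread_rules(hairpin: bool = False):
    """The three rules per container from the thread (as -A rather than -D).

    hairpin=True adds, per container, a DNAT for traffic arriving on lxcbr0 and an
    SNAT to the bridge address for that hairpinned flow. That addition is this
    example's assumption; the thread does not show it.
    """
    rules = []
    for internal, external in CONTAINERS.items():
        rules += [
            Rule("POSTROUTING", "SNAT", external, src=internal, not_dst="10.0.3.0/24", out_if="eth0"),
            Rule("PREROUTING", "DNAT", internal, dst=external, in_if="eth0"),
            Rule("OUTPUT", "DNAT", internal, dst=external),
        ]
        if hairpin:
            rules += [
                Rule("PREROUTING", "DNAT", internal, dst=external, in_if="lxcbr0"),
                # Without this SNAT the target container would answer the sender directly
                # across the bridge, bypassing the host's NAT state, so the sender would
                # see a reply from 10.0.3.x instead of from the external address it used.
                Rule("POSTROUTING", "SNAT", BRIDGE_ADDR, src="10.0.3.0/24", dst=internal, out_if="lxcbr0"),
            ]
    return rules


def scenarios(hairpin: bool = False) -> dict:
    """The three paths discussed in the thread, plus container-to-Internet for comparison."""
    rules = thread_rules(hairpin)
    outside = "203.0.113.5"   # constructed address for an external machine
    return {
        "external->container":  traverse(rules, Packet(outside, "188.227.224.139", in_if="eth0")),
        "host->container":      traverse(rules, Packet(BRIDGE_ADDR, "188.227.224.139")),
        "container->container": traverse(rules, Packet("10.0.3.2", "188.227.224.139", in_if="lxcbr0")),
        "container->internet":  traverse(rules, Packet("10.0.3.2", outside, in_if="lxcbr0")),
    }


if __name__ == "__main__":
    for label, hairpin in (("thread rules", False), ("with hairpin rules", True)):
        print(label)
        for name, (hook, pkt) in scenarios(hairpin).items():
            print(f"  {name:22s} -> {hook:8s} {pkt.src} -> {pkt.dst} via {pkt.out_if}")
```

Running the block prints the final hook and the rewritten addresses for each path under both rule sets. With the thread's rules, external-to-container and host-to-container traffic is DNATed and forwarded onto lxcbr0, while container-to-container traffic via the external IP ends in INPUT with its destination unchanged; only the hairpin variant forwards it to the other container.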